We've recently started using veriexec on a number of NetBSD machines that
we run, and that run (almost exclusively) third-party software coming from
NetBSD. On doing updates, keeping /etc/signatures in sync can sometimes be
a little messy; we want to do minimal updates there and not rebuild the
full signature database right away.
I've started thinking about generating files with pkgsrc packages that
would contain the appropriate replacement lines for the package -- how much
work would that be? (I do not speak pkgsrc internals, so I really have no
clue.) Is that even feasible?

How would you know to trust the veriexec entries in the package,
or do you boot in single-user mode to perform the updates?
A variation might be for pkg_add and pkg_delete to be able
to run an external program before package install or removal.
That could then update veriexec signatures or anything else
desired.
--
David/absolute -- www.NetBSD.org: No hype required --
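
The minimal update discussed in this thread, as an added example (not from the original posts, and not pkgsrc or NetBSD code): it recomputes SHA256 fingerprints locally for one package's files and rewrites only those lines of a signatures file in the `path type fingerprint flags` layout, leaving every other entry untouched. The function names, the single `direct` flag for all files, and the whitespace-free paths are assumptions made for the example.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """SHA256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def package_entries(files, flags="direct"):
    """Map path -> signature line for each package file that exists on disk.
    Assumption: paths contain no whitespace; one flag set for all files."""
    return {str(p): f"{p} SHA256 {fingerprint(p)} {flags}"
            for p in files if os.path.isfile(p)}

def merge_signatures(db_text, pkg_files, new_entries):
    """Rewrite only the lines owned by this package; keep all others in order.
    Owned paths without a new entry (files removed by the update) are dropped."""
    owned = {str(p) for p in pkg_files}
    out, written = [], set()
    for line in db_text.splitlines():
        fields = line.split()
        is_comment = line.lstrip().startswith("#")
        path = fields[0] if fields and not is_comment else None
        if path in owned:
            if path in new_entries and path not in written:
                out.append(new_entries[path])
                written.add(path)
            continue  # stale, removed, or duplicate entry
        out.append(line)
    # Files new in this package version get appended.
    out += [new_entries[p] for p in sorted(new_entries) if p not in written]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Constructed sample: one updated file, one removed file, one unrelated entry.
    d = tempfile.mkdtemp()
    tool, gone = os.path.join(d, "tool"), os.path.join(d, "oldlib")
    with open(tool, "wb") as f:
        f.write(b"new build")
    db = (f"/bin/ls SHA256 {'0' * 64} direct\n"
          f"{tool} SHA256 {'1' * 64} direct\n"
          f"{gone} SHA256 {'2' * 64} direct\n")
    print(merge_signatures(db, [tool, gone], package_entries([tool, gone])), end="")
```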